aquasecurity · gilbode · Apr 12, 2022
@@ -53,6 +53,16 @@ func extractKsplice(v string) string {
 	return ""
 }
 
+func isFips(v string) bool {
+	subs := strings.Split(strings.ToLower(v), ".")
+	for _, s := range subs {
+		if strings.Contains(s, "_fips") {
+			return true
+		}
+	}
+	return false
+}
+
 // Detect scans and return vulnerability in Oracle scanner
 func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Oracle Linux vulnerabilities...")
@@ -80,6 +90,10 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 			if extractKsplice(adv.FixedVersion) != extractKsplice(pkg.Release) {
 				continue
 			}
+			// when one of them doesn't have fips, we'll also skip it
+			if isFips(adv.FixedVersion) != isFips(pkg.Release) {
+				continue
+			}
 
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			vuln := types.DetectedVulnerability{

@@ -139,6 +139,80 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:     "the installed version doesn't have fips",
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
+			args: args{
+				osVer: "7",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "gnutls",
+						Epoch:      10,
+						Version:    "3.6.16",
+						Release:    "4.0.1.el7_fips",
+						Arch:       "x86_64",
+						SrcName:    "gnutls",
+						SrcVersion: "3.6.16",
+						SrcRelease: "4.el7",
+					},
+				},
+			},
+			want: nil,
+		},
+		{
+			name:     "the installed version has fips",
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
+			args: args{
+				osVer: "7",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "gnutls",
+						Epoch:      10,
+						Version:    "3.6.16",
+						Release:    "",
+						Arch:       "x86_64",
+						SrcEpoch:   2,
+						SrcName:    "gnutls",
+						SrcVersion: "3.6.168",
+						SrcRelease: "4.0.1.el7_fips",
+					},
+				},
+			},
+			want: nil,
+		},
+		{
+			name:     "with fips",
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
+			args: args{
+				osVer: "7",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "gnutls",
+						Epoch:      10,
+						Version:    "3.6.16",
+						Release:    "4.0.0.el7_fips",
+						Arch:       "x86_64",
+						SrcEpoch:   10,
+						SrcName:    "gnutls",
+						SrcVersion: "3.6.16",
+						SrcRelease: "4.0.0.el7_fips",
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2021-20231",
+					PkgName:          "gnutls",
+					InstalledVersion: "10:3.6.16-4.0.0.el7_fips",
+					FixedVersion:     "10:3.6.16-4.0.1.el7_fips",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.OracleOVAL,
+						Name: "Oracle Linux OVAL definitions",
+						URL:  "https://linux.oracle.com/security/oval/",
+					},
+				},
+			},
+		},
 		{
 			name:     "without ksplice",
 			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},

@@ -10,3 +10,13 @@
         - key: CVE-2017-1000364
           value:
             FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
+    - bucket: gnutls
+      pairs:
+        - key: CVE-2021-20231
+          value:
+            FixedVersion: "10:3.6.16-4.0.1.el7_fips"
+    - bucket: libgcrypt
+      pairs:
+        - key: CVE-2021-33560
+          value:
+            FixedVersion: "10:1.8.5-6.el7_fips"